Signal under fire for storing encryption keys in plaintext
  • Restricting access to files within a user is why sandboxing is useful. It in theory limits the scope of a vulnerability in an app to only the files it can read (unless there is a sandbox escape). Android instead prevents apps from accessing other apps' files by having each app run as a separate user.

    One way to keep the encryption keys encrypted at rest is to require the login password (or another password) to open the app, and use it to encrypt the keys. That said, if an adversary can read Signal's data, they can almost certainly just replace Signal with a password-stealing version.

  • Mozilla Firefox new alt-text generator powered by "fully private on-device AI model"
  • On the one hand, having an AI generated alt-text on the client side would be much better than not having any alt-text at all. On the other hand, the pessimist in me thinks that if it becomes widely available, website makers will feel less of a need to add proper alt-text to their content.

  • New breakthrough may let us charge smartphones in 60 seconds
  • Increasing capacitance (how much charge is stored to reach a certain voltage) or the voltage it is charged to would indeed increase the capacity. Putting several in parallel would work, as would making a bigger capacitor. The main problem as far as I can tell is that the energy density of even supercapacitors is low, so you'd need a much larger volume to have the same capacity (and thus a much thicker phone).

  • Deleted
    Does a VPN used on a smartphone with Wi-Fi disabled (mobile data only enabled) provide any sort of protection?
  • Although it is possible that some messaging apps send completely unencrypted messages, most (reputable) non-E2E apps are probably still using HTTPS. It just means that when the message arrives at the messaging app's servers, they can decrypt the message and store it in plaintext.

  • Web publishers brace for carnage as Google adds AI answers
  • DDG's AI chat isn't a search engine. It's just a chat interface for GPT-3.5 Turbo and Claude, without any search access. It's also not very up to date.

    GPT-3.5 Turbo:

    Who is the PM of the UK?

    As of my last update, the Prime Minister of the United Kingdom is Boris Johnson. Please note that political positions can change, so I recommend checking the latest news sources for the most up-to-date information.

    Is Queen Elizabeth still alive?

    Yes, as of my last update, Queen Elizabeth II is still alive.

    The Claude version doesn't fare any better:

    Is Queen Elizabeth still alive?

    Yes, Queen Elizabeth II is still alive. She is the current and longest-reigning monarch of the United Kingdom, having ascended to the throne in 1952. As of 2023, she is 96 years old.

  • Web publishers brace for carnage as Google adds AI answers
  • Are there any search engines other than perplexity that tie the sources to sections rather than just popping them all at the bottom? That always felt like the most practical layout for being able to easily cross-check information against their supposed sources.

  • What details/tools have you found help people transition to similar, open software from closed software, or think could help?
  • Also, superior depends on the user and use case. One person might find that GIMP has all the tools they actually use in Photoshop, and another might find that the ones they use are missing from GIMP. Without knowing the audience, it's hard to know what they want to hear.

  • OMG! We’re at forty! (Announcing the release of Fedora Linux 40) - Fedora Magazine
    fedoramagazine.org OMG! We’re at forty! (Announcing the release of Fedora Linux 40) - Fedora Magazine

    Announcing the release of Fedora Linux 40 with a description of its contents, features, and improvements.


    Fedora 40's Changeset

    It's mostly minor changes, but the most noticeable one for me was that Gnome 46 now has expandable notifications, no extensions needed. (Making it impossible to read the full notification text was one of the design choices of all time.)

    0
    The free Delta game emulator for iPhones is live on Apple’s App Store
  • It's more the other way around. Both distribution on the App Store and through third parties will incur the fee. However, if you don't distribute on third parties, you can stay under Apple's old terms, avoiding the fee. It's a way of monetarily punishing third party app distribution.

  • The free Delta game emulator for iPhones is live on Apple’s App Store

    Caveat: It isn't available in the app store in the EU, and is instead only available via the developer's marketplace, AltStore¹. As far as I can tell, this genuinely isn't because of greed, but because of a little detail in Apple's EU rules (possibly wrong):

    > [...] Developers can choose to remain on the App Store’s current business terms or adopt the new business terms for iOS apps in the EU.
    >
    > Developers operating under the new business terms for EU apps will have the option to distribute their iOS apps in the EU via the App Store, Web Distribution, and/or alternative app marketplaces. [...] Developers who achieve exceptional scale on iOS, with apps that have over one million first annual installs in the past 12 months in the EU, will pay a Core Technology Fee. ²

    The problem being, if you're under the old terms, there is no "Core Technology Fee." However, in order to distribute on another marketplace, you must opt into the new terms, meaning you now have to pay the fee even on apps that are distributed on Apple's app store. Thus, if you distribute on the iOS app store in the EU for free, and let's say it gets 2 million installs, you get 1 million installs free... and you now owe Apple half a million dollars.

    1. https://news.ycombinator.com/item?id=40067556
    2. https://developer.apple.com/support/core-technology-fee/
    30
    Materialious - A modern interface for Invidious
  • IIRC the main reason it isn't enabled by default is because >=1080p is only available via DASH. Normally Invidious can just point the client to fetch videos from Google's servers, but for technical reasons DASH requires the Invidious instance to act as a proxy (the client asks the instance for video data, then the instance fetches it from Google and sends it to the client). The net result is that watching 1080p streams requires much more bandwidth from the server.

  • A backdoor in xz (current versions are impacted)
  • As far as I can tell running xz directly should be fine, but for the extra paranoid check the version of the xz-utils package. If it is safe, it will be either less than 5.6.0, or it should be 5.6.1+really5.4.5-1 (xz 5.4.5 with a spoof version number to ensure compromised systems get the update).

  • A backdoor in xz (current versions are impacted)

    TL;DR: Update immediately, especially if SSH is enabled. xz versions 5.6.0 & 5.6.1 are impacted. The article contains links to each distro's specific instructions of what to do.

    > https://news.opensuse.org/2024/03/29/xz-backdoor/
    >
    > Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.

    In summary, the conditions for exploitation seem to be:

    • xz version 5.6.0 or 5.6.1
    • SSH with a patch that causes xz to be loaded
    • SSH daemon enabled

    Impact on distros

    • Arch Linux: Backdoor was present, but shouldn't be able to activate. Updating is still strongly recommended.

    • Debian: Testing, Unstable, and Experimental are affected (update to xz-utils version 5.6.1+really5.4.5-1). Stable is not affected.

    • Fedora: 41 is affected and should not be used. Fedora 40 may be affected (check the version of xz). Fedora 39 is not affected.

    • FreeBSD: Not affected.

    • Kali: Affected.

    • NixOS: NixOS unstable has the backdoor, but it should not be able to activate. NixOS stable is not affected.

    • OpenSUSE: Tumbleweed and MicroOS are affected. Update to liblzma5 version 5.6.1.revertto5.4. Leap is not affected.

    CVE-2024-3094
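
As an added example (not code from the post or from any distro's advisory), a small Python checker that applies the version rule above to package version strings, including the Debian "+really" and openSUSE "revertto" workaround versions, and runs the second condition (is liblzma loaded by sshd) through ldd; the sshd path and the command lines it calls are assumptions.

```python
"""Check an xz-utils / liblzma version string against the CVE-2024-3094
summary in the post above. Added example, not code from the post or any distro."""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# The two upstream releases that shipped the backdoor (from the post).
BACKDOORED = {(5, 6, 0), (5, 6, 1)}


def parse_version(text: str) -> Optional[Version]:
    """Return the effective upstream version in a package version string.

    Distro workaround versions keep a high leading number so that affected
    machines still see an upgrade, but actually build an older release:
      Debian   "5.6.1+really5.4.5-1"  -> 5.4.5
      openSUSE "5.6.1.revertto5.4"    -> 5.4 (patch level not given -> 0)
    """
    m = re.search(r"\+really(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    m = re.search(r"\.revertto(\d+)\.(\d+)", text)
    if m:
        return (int(m.group(1)), int(m.group(2)), 0)
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)  # plain "xz (XZ Utils) 5.6.1"
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def classify(text: str) -> str:
    """Map a version string to: affected, safe, newer-than-advisory or unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v in BACKDOORED:
        return "affected"
    if v < (5, 6, 0):
        return "safe"
    # Releases after 5.6.1 are not covered by the post; check the distro advisory.
    return "newer-than-advisory"


def installed_version_strings() -> List[str]:
    """Best-effort collection of version strings from tools that may exist.
    The command lines (xz --version, dpkg-query on Debian-based systems) are assumptions."""
    found = []
    for cmd in (["xz", "--version"],
                ["dpkg-query", "-W", "--showformat=${Version}", "xz-utils"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            found.append(out.stdout.strip().splitlines()[0])
    return found


def sshd_links_liblzma(sshd_path: str = "/usr/sbin/sshd") -> Optional[bool]:
    """Second condition from the post: does this sshd load liblzma at all?
    Uses ldd; returns None when ldd or sshd is unavailable (path is an assumption)."""
    try:
        out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    return "liblzma" in out.stdout if out.returncode == 0 else None


if __name__ == "__main__":
    for s in installed_version_strings() or ["(no xz found)"]:
        print(f"{s!r}: {classify(s)}")
    print("sshd links liblzma:", sshd_links_liblzma())
```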

    16
    Apple will require notarization for apps from third party app stores, and will disable updates for apps installed via third party app stores if staying outside EU

    As far as I can tell this basically means that all apps must be approved by Apple to follow their "platform policies for security and privacy" even if publishing on a third party app store. They will also disable updating apps from third party app stores if you stay outside the EU for too long (even if you are a citizen of an EU country, with an Apple account set to the EU region).

    The idea that preventing app updates is in line with their claims of protecting security is utterly absurd. "Never attribute to malice what can be explained with stupidity," but Apple isn't stupid.

    48
    Alan Pope: "Multiple genuine-looking scam cryptocurrency miners and fake Bitcoin wallet applications have been published in the Snap store since 2018."
    popey.com Exodus Bitcoin Wallet: $490K Swindle

    tl;dr: A Bitcoin investor was recently scammed out of 9 Bitcoin (worth around $490K) in a fake “Exodus wallet” desktop application for Linux, published in the Canonical Snap Store. This isn’t the first time, and if nothing changes, it likely won’t be the last. This post turned out longer than I expe...

    I used a sentence from the article as the title since I felt it represented the actual issue better, let me know if I should change it.

    Essentially, Snap Store has basically no restrictions on publishing new applications, allowing for scammers to impersonate legitimate applications. In this case (and several times in the past) the target was a cryptocurrency wallet, resulting in ~$490,000 worth of bitcoin being stolen.

    The "Safe" rating reminds me of this xkcd:

    (Image alt text: "If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.")

    (For comparison, it seems being proprietary is an automatic unsafe rating for any application, which could be considered too extreme in the other direction.)

    8
    [OpenAI] Sora: Creating video from text

    There's also more example videos on the technical report

    Personal take: If they didn't say how the videos on the page were created, I genuinely think that several of the AI generated videos could be passed off as being made with a camera or CGI (though there's probably still inconsistencies when looking hard enough).

    This failure example is quite amusing.

    10
    I Just Wanted Emacs to Look Nice — Using 24-Bit Color in Terminals
    chadaustin.me I Just Wanted Emacs to Look Nice — Using 24-Bit Color in Terminals

    Thanks to some coworkers and David Wilson’s Emacs from Scratch playlist, I’ve been getting back into Emacs. The community is more vibrant than the last time I looked, and LSP brings modern completion and inline type checking.

    TL;DR: Explanation of why the escape sequences for 256 color and 24 bit color modes are weird and can vary. \E[38:5:_n_m is technically the correct form for 256 color, but \E[38;5;_n_m is the form terminals more widely support.

    I saw this on Hacker News today, and found the article interesting because I'd recently seen a Terminal Guide page on 256 color that mentioned how terminals support different versions of the codes (with semicolons being the most compatible). Semi-relatedly there's XTerm's criticism of Gnome Terminal and VTE (which talks about compatibility in general).
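
As an added example (not code from the linked article), a Python helper that emits the 256-color and 24-bit SGR sequences in both the colon and semicolon forms named above, and a decoder that shows why the semicolon form is awkward: with ";" a terminal cannot tell "38;5;196" apart from three separate attributes without special-casing 38/48, whereas the ":" form keeps the color as one parameter with sub-parameters. ESC is written as "\x1b" (the post's "\E").

```python
"""Build and decode SGR colour sequences in the two forms the post compares.
Added example, not code from the article."""
from typing import List, Tuple

ESC = "\x1b"


def sgr_256(n: int, colon: bool = True, background: bool = False) -> str:
    """256-colour select: ESC[38:5:n m (colon, technically correct) or
    ESC[38;5;n m (semicolon, more widely supported)."""
    base = 48 if background else 38
    sep = ":" if colon else ";"
    return f"{ESC}[{base}{sep}5{sep}{n}m"


def sgr_rgb(r: int, g: int, b: int, colon: bool = True, background: bool = False) -> str:
    """24-bit colour select: ESC[38:2:r:g:b m or ESC[38;2;r;g;b m."""
    base = 48 if background else 38
    sep = ":" if colon else ";"
    return f"{ESC}[{base}{sep}2{sep}{r}{sep}{g}{sep}{b}m"


def decode_sgr(seq: str) -> List[Tuple[int, Tuple[int, ...]]]:
    """Decode an SGR sequence into (attribute, sub-parameters) pairs.

    With colons a colour is one parameter carrying sub-parameters, so the
    split on ";" is unambiguous. With semicolons, 38;5;196 looks like three
    independent attributes (38, 5 and 196), so the decoder has to special-case
    38/48 followed by 5 (one value) or 2 (three values), which is exactly the
    terminal-specific convention the article discusses."""
    if not (seq.startswith(ESC + "[") and seq.endswith("m")):
        raise ValueError("not an SGR sequence")
    params = seq[2:-1].split(";")
    out: List[Tuple[int, Tuple[int, ...]]] = []
    i = 0
    while i < len(params):
        p = params[i]
        if ":" in p:
            # Colon form: empty sub-parameters (e.g. 38:2::r:g:b) are kept as 0.
            parts = [int(x) if x else 0 for x in p.split(":")]
            out.append((parts[0], tuple(parts[1:])))
            i += 1
            continue
        n = int(p) if p else 0  # an empty parameter means 0 (reset)
        if n in (38, 48) and i + 1 < len(params):
            mode = int(params[i + 1] or 0)
            if mode == 5 and i + 2 < len(params):
                out.append((n, (5, int(params[i + 2]))))
                i += 3
                continue
            if mode == 2 and i + 4 < len(params):
                out.append((n, (2,) + tuple(int(x) for x in params[i + 2:i + 5])))
                i += 5
                continue
        out.append((n, ()))
        i += 1
    return out


if __name__ == "__main__":
    for colon in (True, False):
        s = sgr_256(196, colon=colon)
        print(repr(s), "->", decode_sgr(s))
    t = sgr_rgb(255, 128, 0, colon=False)
    print(repr(t), "->", decode_sgr(t))
```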

    2
    scriptscrub (`script` output pruner / watcher)

    Edit 2024-01-26: I ended up feature creeping it a bit. It can now be used as a less input filter, and asciinema-esque recording playback.

    Original post:

    A less bad name TBD.

    This is a little program I made to convert script captures into properly laid out text. A lot of the behaviour still isn't quite right, but I'm pretty happy with it as a proof-of-concept.

    0
    Wine 9.0 released
    gitlab.winehq.org Wine 9.0 · wine / wine · GitLab

    The Wine team is proud to announce that the stable release Wine 9.0 is now available. This release represents a year of development effort and over...

    1
    Kakao Entertainment seems to be planning legal action against Tachiyomi (and forks)

    > We have collected personal details of most individuals involved in [Tachiyomi] and plan to proceed with strong legal and institutional responses against over 100 forked GitHub pages. [1]

    It sounds like Kakao Entertainment's "Global Anti-Piracy Task Force" (P.Cok) might plan on directly targeting the developers, rather than just the project itself [1] [2]. Tachiyomi has in response removed all of their extensions except for selfhosted services [3].

    I'm not too sure how much of a legal leg they have to stand on, but it isn't very surprising since Tachiyomi did have a lot of extensions for... dubious sources. It doesn't seem like they plan on adding back extensions that scrape official sources though.

    1. https://nitter.net/kakaoent_pcok/status/1744889648265175197
    2. https://newsroom.kakaoent.com/news/meet-p-cok-kakao-entertainments-global-anti-piracy-task-force/
    3. https://tachiyomi.org/news/2024-01-09-extensions-removal


    2
    Fossify Gallery is now on F-Droid, and Simple Gallery got removed due to a proprietary dependency

    Fossify Gallery on the official F-Droid repo

    The removal isn't directly related to the buyout/fork. Simple Gallery was taken off of F-Droid due to a dependency on the nonfree Google VR being discovered by IzzySoft [1] [2]. Fossify's fork has removed the dependent features to be compliant [3].

    1. https://gitlab.com/fdroid/fdroiddata/-/merge_requests/14284
    2. https://github.com/FossifyOrg/Gallery/issues/36
    3. https://github.com/FossifyOrg/Gallery/issues/36#issuecomment-1873458105
    22
    Updates regarding the IndieLand / The Completionist charity fraud allegations

    Prior discussion

    AFTD: Open Hand Foundation Provides AFTD $600K for FTD Research

    IGN: YouTuber The Completionist Responds to Allegations of 'Charity Fraud' Against Him and Open Hand

    Karl Jobst: The Completionist's Response is the Worst Thing Ever

    TL;DR: Things look incredibly bad. The completionist has practically admitted to misleading donors, and it seems like he is expecting the IRS will get involved (IGN). It also seems he's threatening legal action for slander (Jobst).

    The allegation that the money was not donated seems to be true (up until the AFTD donation in November of 2023) (IGN, AFTD). The Completionist has admitted he "made statements potentially implying donations were made when they had not yet been" (IGN). Karl basically states that it isn't a potential implication, but a direct claim that he made, and is additionally alleging that the way The Completionist benefits from IndieLand constitutes charity fraud (Jobst).

    14
    My opinionated list of FOSS applications

    Edit: Updated the page with some cleanup and better navigation. It can now be filtered by OS and GUI/CLI.

    Making posts for individual apps tends to only make sense when there's some actually notable event that takes place, so I figured why not just make a page that lists most of the open source applications that I use? So here is that listing. The webpage version has a nice table of contents for at a glance viewing; below is the page translated to Markdown, powered by Markdownr:

    Writing

    Joplin (Notes)

    Website · Source Code · Get from F-Droid

    I haven't been using it for very long. I used to use Logseq, but I've been finding that the more document/page oriented style of note-taking works better in some cases.

    LyX (Math & Documents)

    Website · Source Code

    LyX is, without a doubt the best writing program. That's probably an exaggeration, but I do really like LyX. It's great for math, and even generates HTML; the first version of this page was drafted in LyX.

    Saber (Handwriting/Drawing)

    Honestly, I don't use this that much, however it does come in handy for writing/drawing on PDFs and for quickly jotting down equations.

    Reading

    KOReader (PDF/Documents)

    Website · Source Code · Get from F-Droid

    KOReader has a fairly minimal interface, but is quite versatile. It supports a lot of different document formats (and can also be used as an image viewer).

    Tachiyomi (Web Comics)

    Not much to say, it reads comics. It even has xkcd.

    App Management

    App Manager

    Website · Source Code · Get from F-Droid

    It's rather aptly named.

    Aurora Store (Google Play Store)

    Website · Source Code · Get from F-Droid

    Somewhat ironically, this is only useful for installing apps that aren't on this list. However, it does come in handy if you don't have the Google Play Store.

    F-Droid (App Store)

    Website · Source Code

    The quintessential FOSS software center for Android.

    Termux (Android Terminal)

    Not all software is packaged for Termux, but those that are can be quite handy. For example, LyX is in the main repositories, and Code-OSS is available in the Termux User Repository.

    Audio/Video

    PipePipe (YouTube)

    Source Code · Get from F-Droid

    It plays video from YouTube. The non-YouTube services it supports are different, but for those who only use YouTube, the primary differentiator I use it for is the ability to view comment replies.

    VLC (Video Player)

    Website · Source Code · Get from F-Droid

    ViMusic (YouTube Music)

    Source Code · Get from F-Droid

    A straightforward YouTube Music client. It supports offline playback, though there is no way to get songs cached apart from playing through them. It can also be somewhat feature-bare at times.

    Internet

    Fennec F-Droid / Firefox (Browser)

    Website · Source Code · Get from F-Droid

    The quintessential FOSS browser. Well, maybe Chromium is, except everyone and their aunt has made their own proprietary spinoff of that.... On Android in particular, support for addons is a big plus.

    K-9 Mail (E-Mail)

    Website · Source Code · Get from F-Droid

    "Thunderbird for Android" shenanigans aside, it's a nice email client in its own right.

    WG Tunnel (Wireguard)

    Source Code · Get from F-Droid

    It's a Wireguard client for Android. It is mostly quality-of-life features that make it nicer than the official Wireguard client, such as being able to put spaces in tunnel names, search in app exclusion, and being available on F-Droid.

    Games

    AAAAXY (Platformer)

    Website · Source Code · Get from F-Droid

    A "simple" platformer. I recommend just trying it and exploring how it works yourself.

    Forkyz (Crossword Puzzles)

    Source Code · Get from F-Droid

    You can play crossword puzzles with this app.

    Puzzles

    Website · Source Code · Get from F-Droid

    A description is obviated by the name; it is a puzzle collection. I'm just going to be blunt and say I don't like most of the puzzles, however there are a few that I do quite like, and I recommend giving each of the sub-games a go.

    Shattered Pixel Dungeon

    Website · Source Code · Get from F-Droid

    A fun roguelike. I'm not very good at the whole "stay alive" bit.

    Programming

    Code-OSS (Editor)

    Source Code

    It's VSCode, but without proprietary bits. Telemetry may still be enabled by default, however.

    Nim (Language)

    Website · Source Code

    Nim is hands-down my favorite programming language. The documentation is admittedly not the greatest, but it combines a lot of interesting ideas, and it gives a lot of freedom in terms of programming style.

    Files

    gdu (Disk Usage)

    Source Code

    It's basically ncdu but in Go. I find that it works better than ncdu on Android/Termux.

    Syncthing (File Sync)

    Website · Source Code · Get from F-Droid

    Technically it is intended for file syncing, but I ended up using it for backups for the sake of convenience.

    Miscellaneous

    Arity (Calculator)

    Source Code · Get from F-Droid

    It's a calculator. Note: There are two applications on F-Droid. One is “Arity,” the original version, and the other is “ArityCalc,” an updated fork (which is the one listed here).

    Barcode Scanner

    Source Code · Get from F-Droid

    In addition to the obvious capability of scanning barcodes, it can scan and produce QR codes, Aztec codes, Data Matrix codes, and many types of barcode. Admittedly, there's not much to scan QR codes for, but one (bad?) way I use it is as a lazy way to send a short string to another device.

    Bitwarden (Password Manager)

    Website · Source Code · Get from F-Droid

    It's a password manager.

    Krita (Drawing)

    Website · Source Code · Get from F-Droid

    I must admit, I'm not much of an artist. However, it's pretty good for basic image editing.

    Organic Maps

    Website · Source Code · Get from F-Droid

    Maps are based on OpenStreetMap and can be downloaded for offline usage.

    PDF Doc Scan

    Source Code · Get

    Self-explanatorily, it scans documents.

    Simple Gallery

    Source Code · Get from F-Droid

    It's a gallery app. Unfortunately, SimpleMobileTools has been acquired by ZipoApps. Although the F-Droid version will probably not be affected, it doesn't seem likely that they will remain maintained. Hopefully one of the forks will be successful.

    Unexpected Keyboard

    Website · Get from F-Droid

    Quite a basic, no-nonsense keyboard. It can take some time to get used to the positioning of the symbols and how to swipe for them.

    52
    Nissan vehicles recalled due to zombie virus contamination

    "My neighbor used to brag about his big diesel truck, but he's recently gone green. I think he turned over a new Leaf."

    0
    YouTuber The Completionist's Open Hand Foundation Accused of Keeping Charitable Donations - IGN
    www.ign.com YouTuber The Completionist's Open Hand Foundation Accused of Keeping Charitable Donations - IGN

    The Open Hand Foundation charity, which YouTuber The Completionist has an "active" role in, has been accused of keeping public donations despite claiming the money is being spent on dementia research.


    Karl Jobst's video

    TL;DR: Funds raised during IndieLand were claimed to be going to charities, which is contradicted by Open Hand's tax filings showing the money never went anywhere.

    11
    Fedora Linux 39 is officially here! - Fedora Magazine
    fedoramagazine.org Fedora Linux 39 is officially here! - Fedora Magazine

    We’re pleased to bring you Fedora Linux 39, our complete, community-built operating system. And stop by our virtual release party! It's free!


    I rebased my Silverblue install yesterday. The most notable change in my opinion is the tweaks to the UI and theming of Gnome 45.

    Changeset

    0
    NileRed: Making bulletproof wood (based on a 2018 paper)
    lbry.tv Making bulletproof wood

    Head to https://brilliant.org/NileRed for a 30-day free trial + the first 200 people will get 20% off their annual subscription!

    5
    [Android] Any handwriting keyboards?

    Are there any FOSS handwriting input methods? I'm looking for something like Gboard's; the closest I've found is Unistroke.

    0
    brie @beehaw.org
    Posts 23
    Comments 140